Is Dailymotion the Latest Mega-Breach Victim?

A website that archives stolen data claims that 87 million accounts have been hacked from the popular video website Dailymotion.

LeakedSource, which sells access to the archived data, says the database it has obtained contains usernames, emails and some hashed passwords. Neither Dailymotion nor its owner, Paris-based Vivendi, could be reached for comment.

Dailymotion hasn't put an advisory on its website, but as with any rumor of a breach, it's never too early to change your password.

LeakedSource claims Dailymotion was hacked around Oct. 20. The website does not name its sources for data leaks or the terms under which the data is obtained. Efforts to reach LeakedSource officials were unsuccessful.

Bad Year for Breaches

If the data is verified to be from Dailymotion, the website would become another entry in a long list of companies and services that have dealt with data breach discoveries this year.

This has been an unconventional year for data breaches, as authentication credentials stolen from companies many months or years ago suddenly surfaced in underground markets and on sites such as LeakedSource (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

In some cases, it appeared that actors loosely connected with those who actually stole the data decided to try to monetize it before its market value fell too low. But given that most people rarely change their login credentials, the leaks still posed risks to millions of users (see LinkedIn, MySpace Hacker 'Urgently' Needs Money).

The victims included MySpace, LinkedIn, Dropbox, Tumblr and Yahoo. For some companies, the leaks revealed that previously known breaches or attacks were actually much worse than initially suspected. LinkedIn discovered that a 2012 breach had actually resulted in the theft of about 165 million accounts rather than just 6.5 million accounts, as originally believed.

Similar to LinkedIn, Dropbox detected an attack in mid-2012 that exploited an employee's password. Around that time, it also suspected that logins and passwords from other data breaches had been used to sign into a small number of accounts. But it became evident this year that 69 million user accounts had been compromised (see Dropbox's Big, Bad, Belated Breach Notification).

Hashed with Bcrypt

ZDNet, which obtained a sample of the alleged Dailymotion data, reported that the database contains 85.2 million email addresses. But hashed passwords were included for only 18.3 million accounts.

Hashing is a process that converts a plaintext password to a mathematical representation using an algorithm. Rather than store passwords, many organizations store hashes. When someone logs on, the plaintext password is hashed and then compared to the stored hash.

The Dailymotion passwords were hashed with bcrypt, which is considered a secure hashing algorithm. That's because it takes computers a long time to try to guess various combinations of passwords to generate a matching bcrypt hash. But it's not impossible, especially for well-resourced attackers with access to powerful computers, to crack passwords.

The breaches that came to light this year revealed that some companies used what are now considered weak hashing schemes, such as SHA-1. But many organizations began realizing several years ago that they needed to upgrade their defenses around passwords, including better hashing algorithms that are more resistant to password cracking.

Dailymotion hasn't put an advisory on its website, but as with any rumor of a breach, it's never too early to change your password.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.